I. Introduction
The Board is committed to protecting the confidentiality of student information obtained, created and/or maintained by the District. Student privacy and the District's use of confidential student information are protected by federal and state law, including the Family Educational Rights and Privacy Act (FERPA) and the Student Data Transparency and Security Act (the Act). The Board directs District staff to manage its students data privacy, protection and security obligations in accordance with this policy and applicable law.
II. Definitions
- "Student education records" means any record in handwriting, print, tape, film or other medium maintained by the District or an employee of the District maintained in the student's permanent file, which may contain but shall not necessarily be limited to the following information: identifying data; academic work completed; level of achievement (grades, standardized achievement test scores); attendance data, scores on standardized intelligence, aptitude and psychological tests; interest inventory results; health data; family background information; teacher or counselor ratings and observations, any individual education program (IEP), reports or serious or recurrent behavior patterns, and disciplinary information involving a student.
- "Student personally identifiable information" ("PII") means information that, alone or in combination, personally identifies an individual student or the student's parent or family, and that is collected, maintained, generated, or inferred by the District, either directly or through a school service, or by a school service contract provider or school service on-demand provider.
- "Security breach" means the unauthorized disclosure of student education records or PII by a third party.
- The District shall follow applicable law and Board policy in the District's access to, collection and sharing of student education records.
- District employees shall ensure that confidential information in student education records is disclosed within the District only to officials who have a legitimate educational interest, in accordance with applicable law and Board policy.
- District employees shall ensure that student education records are disclosed to persons and organizations outside the District only as authorized by applicable law and Board policy.
- The term "organizations outside the District" includes school service on-demand providers and school service contract providers.
- Any contract between the District and a school service contract provider shall include the provisions required by the Act, including provisions that require the school service contract provider to safeguard the privacy and security of PII and impose penalties on the school service contract provider for noncompliance with the contract.
- In accordance with the Act, the District shall post the following on its website:
- A list of the school service contract providers that it contracts with and a copy of each contract; and
- To the extent practicable, a list of the school service on-demand providers that the District uses.
- Employees who disclose student education records in a manner inconsistent with applicable law and Board policy may be subjected to disciplinary action, up to and including termination from employment. Any discipline imposed shall be in accordance with applicable law and Board policy.
- Employee concerns about a possible security breach shall be reported immediately to their supervisor, or Chief Information Officer or designee. If the supervisor is the person alleged to be responsible for the security breach, the staff member shall report the concern to the Chief Information Officer or designee.
- When the District determines that a school service contract provider has committed a material breach of its contract with the District, and that such material breach involves the misuse or unauthorized release of PII, the District shall follow this policy's accompanying regulation in addressing the material breach.
- Nothing in this policy or its accompanying regulation shall prohibit or restrict the District from terminating its contract with the school service contract provider, as deemed appropriate by the District and in accordance with the contract and the Act.
- The Chief Information Officer or designee shall be responsible for ensuring compliance with this policy and its required privacy and security standards.
- The District's practices with respect to student data privacy and the implementation of this policy shall be periodically audited by the Chief Financial Officer or designee.
- Any privacy and security audit shall be performed by the District on a periodic basis. Such audit shall include a review of existing user access to and the security of student education records and PII.
- The District shall comply with FERPA and its regulations, the Act, and other state and federal laws governing the confidentiality of student education records. The District shall be entitled to take all actions and exercise all options authorized under the law.
- In the event this policy or accompanying regulation does not address a provision in applicable state or federal law, or is inconsistent with or in conflict with applicable state or federal law, the provisions of applicable state or federal law shall control.